U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report

Report on Critical Asset Vulnerability
and Risk Assessments at the Power
Marketing Administrations--Follow-up Audit

DOE/IG-0842                            October 2010

Department of Energy
Washington, DC 20585

October 7, 2010

MEMORANDUM FOR THE ADMINISTRATORS, BONNEVILLE POWER, WESTERN
               AREA POWER, AND SOUTHWESTERN POWER
               ADMINISTRATIONS

FROM:          Gregory H. Friedman
               Inspector General

SUBJECT:       INFORMATION: Audit Report on “Critical Asset Vulnerability and
               Risk Assessment at the Power Marketing Administrations--Follow-up
               Audit”

BACKGROUND

The Department of Energy's largest Power Marketing Administrations (PMAs), Bonneville,
Western Area, and Southwestern, provide wholesale electric power to utilities for use in homes,
hospitals, financial institutions and military installations. Serving the electricity supply needs of
millions of citizens in the western part of the United States, these PMAs maintain an elaborate
and extensive infrastructure that includes electrical substations, high-voltage transmission lines
and towers, and power system control centers. To protect these assets, the PMAs follow safety
and security requirements established by the Department, the North American Electric
Reliability Corporation (NERC), and the Department of Homeland Security (Homeland
Security).
Under established policy, the PMAs are required to conduct vulnerability and risk
assessments of their most critical assets to: evaluate existing security systems; analyze current
threat information; identify security enhancements needed to reduce risk; and, document the
level of risk PMA management is willing to accept on individual critical assets.

In 2003, the Office of Inspector General reported in our Audit of Power Marketing
Administration Infrastructure Protection (OAS-B-03-01, April 2003) that Bonneville had
initiated, but not yet completed vulnerability and risk assessments; Western had conducted
inadequate assessments; and, Southwestern had not conducted any assessments. Given the
importance of these efforts to safeguarding the Nation's electrical infrastructure, we initiated this
audit to determine whether the PMAs had conducted vulnerability and risk assessments.

RESULTS OF AUDIT

Many PMA efforts essential to identifying current risks or threats and mitigating those risks
remained incomplete at the time of our audit. While a number of activities relevant to critical
infrastructure protection had been initiated, the PMAs had not:

    Completed and updated, when appropriate, all required vulnerability and risk
    assessments; and,

    Conducted required tests to ensure that security measures for physical assets were
    operating as designed.

Further, Bonneville and Western had not implemented security enhancements recommended in
completed risk assessments. One incident vividly illustrated the importance of actually
implementing security enhancements recommended in risk assessments. A 2002 risk assessment
included a recommendation to install a perimeter intrusion detection system at one Bonneville
site. This recommendation was never implemented.
Had such a system been operational, it may
have provided early detection of a 2009 break-in that resulted in significant equipment damage,
preliminarily estimated at $750,000.

Conducting and Updating Assessments

The PMAs had not completed assessments and had not consistently completed or updated
existing assessments on all of their power system monitoring control centers, large power
substations, and switchyards; all of which had been identified as critical assets. Specifically as
of February 2010:

    Bonneville had not completed assessments on 24 of its 60 critical assets. Of the 36
    assessments that had been completed, 32 had been done over 4 years ago. We found that
    only nine of those assessments had been updated;

    Western had not completed assessments on 19 of its 51 critical assets. Of the 32
    assessments that had been completed, 27 had been done over 6 years ago. We found that
    only four of those assessments had been updated; and,

    Southwestern had completed an assessment of its one critical asset, an operations center,
    more than 5 years ago, but had not updated it.

Bonneville, Western, and Southwestern all used the Risk Assessment Methodology-Transmission
(RAM-T) to assess critical asset security vulnerabilities and risk. RAM-T was
established by the Interagency Forum for Infrastructure Protection to develop vulnerability and
risk assessment tools to improve the physical security of critical infrastructure. RAM-T
recommends updating assessments at least every 2 years to reflect risks and vulnerabilities
resulting from new internal/external threats identified, for example, by law enforcement officials.
Similar Federal entities involved in generating hydroelectricity for the power grid, such as the
U.S. Army Corps of Engineers and the Bureau of Reclamation, recommend updating security
assessments at least once every three years.
Likewise, Western had a policy requiring updates of
its assessments every three years. Neither Bonneville nor Southwestern had policies concerning
the frequency of updates.

The PMAs also use other tools and methodologies, which complement the RAM-Ts, including
NERC compliance assessments for cyber security and Department of Homeland Security
requirements, to address their security needs. Specifically, the PMAs told us that they prepared
plans and conducted assessments to ensure compliance with NERC Critical Infrastructure
Protection (CIP) standards, which require protection of locations in which critical cyber assets
are housed, such as computer rooms, telecommunication rooms, and operations centers. These
efforts resulted in PMA installation of cameras and alarm and access control devices to increase
the protection of critical cyber assets. For example, Bonneville pointed out that it had installed
400 cameras and 2,500 alarms and access control devices at approximately 90 of its facilities
including 55 of its 60 critical asset facilities.

Although the PMAs told us that they are compliant with NERC CIP standards, compliance with
these standards does not encompass all the risks and vulnerabilities considered in RAM-T
assessments, nor the physical security enhancements needed to address such risks and
vulnerabilities. Specifically, vulnerabilities and risks associated with critical assets such as
power circuit breakers, capacitor banks which maintain power line voltage, and backup
generators located in critical asset yards were not fully covered by the PMA efforts to comply
with NERC CIP standards.
Further, compliance with NERC CIP standards does not fully meet
Department requirements for considering updated threat information when making decisions
regarding security postures, a key element of the risk assessment process.

Bonneville officials told us that they are developing a Graded Security Plan to integrate
Department, NERC, and Homeland Security requirements and guidelines. The Plan, which is
pending review and approval by Bonneville's senior management, will establish Bonneville's
requirements for performance assessments; completion, tracking and re-validation of previous
risk assessments; implementation of approved recommendations; and, prioritization of resources.
We concluded that these are very positive steps toward meeting Bonneville's infrastructure
protection goals.

Compliance with Department Performance Testing Policies

While the PMAs had established procedures to meet NERC CIP standards for testing the
functionality of cyber assets, such as access points into Supervisory Control and Data
Acquisition systems used in electricity transmission systems, they had not complied with
Department security performance testing policies identified in Department Order 470.3B,
Graded Security Protection Policy; Department Manual 470.4-2A, Physical Protection; and,
Department Manual 470.4-1, Safeguards and Security Program Planning for physical assets.
These policies, for example, require tests to ensure that security protection measures are
performing as intended. Such tests are important to identify security vulnerabilities in critical
assets such as substations and control centers.

The failure to test security measures is a long-standing issue.
In 2007, Bonneville had identified
the lack of testing as a problem in an assessment of its highest ranked critical asset and noted that
without a testing program, security effectiveness could only be subjectively estimated based on
knowledge of what security components have been installed and expectations of what the
components are supposed to do. Again in 2009, the Department noted that Bonneville lacked a
performance testing program.

We found that Western and Southwestern also had not established performance testing programs
per Department policy to ensure the security of their critical assets. The lack of testing limits the
PMAs' ability to identify vulnerabilities and make improvements where necessary.

Implementation of Recommended Security Enhancements

While Bonneville and Western had installed many beneficial security enhancements to protect
their critical assets, they had not, for the most part, implemented a major physical control system
recommended in previously completed risk assessments for critical assets. Specifically, neither
Bonneville nor Western had implemented electronic perimeter intrusion motion detection and
alarm systems to protect critical assets as recommended in the assessments. These systems were
recommended to protect high voltage equipment in the critical asset yard, including power circuit
breakers, capacitor banks which maintain power line voltage, and backup generators.
Specifically, Bonneville assessments conducted between 2001 and 2008 recommended the
installation of electronic detection systems on 36 critical assets. As of February 2010, only
seven such systems had been installed.
Similarly, Western assessments conducted in 2002 and
2008 recommended the installation of 24 electronic perimeter systems to protect critical assets.
Western implemented only 7 of the recommended 24 systems and also implemented systems for
5 other critical assets which had not been recommended in the prior risk assessments. We were
unable to determine why individual electronic perimeter intrusion systems had not been installed,
or why other such systems were implemented when they had not been recommended, because, as
noted above, the applicable assessments had not been updated. As a result, Bonneville and
Western lacked documentation needed to justify their decisions to forego recommended
enhancements and accept the additional risk.

Western and Bonneville officials told us that they had not made the improvements, in general,
because perimeter intrusion systems were subject to false alarms. However, officials
acknowledged that, currently, false alarm concerns are of less importance because perimeter
intrusion technology had improved since the assessments were completed.

The potential risks and negative consequences due to the lack of a perimeter intrusion detection
system to protect equipment in the critical asset yard are significant. For example, at one site,
Bonneville's assessment noted that, without a perimeter system, the ability to detect, delay and
assess intrusion of the facility was low and that the potential negative consequences of such an
event could include loss of life, economic losses to revenue and property in excess of
$50 million, and loss of ability to transfer power to large population centers.

Further, although Western and Southwestern had developed tracking systems to document the
disposition of recommended security improvements, Bonneville had not.

Risks of Harm

Protecting critical infrastructure is essential to the Nation's security and economic vitality.
Any
successful infrastructure attack, especially given Bonneville, Western and Southwestern's scope
of operations, could significantly disrupt the functioning of government and business, potentially
producing a cascading effect far beyond the physical location of the incident. The PMAs have
very costly infrastructures, including control centers, electrical transmission lines, and
substations that deliver wholesale power to utilities which provide service in thousands of
homes, businesses and government agencies. Without appropriate assessments, testing, and
protection, these assets are at risk of unauthorized access, theft, or sabotage that could result in
significant physical and economic damage. These concerns are not merely theoretical. In
September 2009, intruders broke into one of Bonneville's critical substations through the
perimeter fence and started a fire that resulted in loss of power to two 500 kilovolt lines and the
substation. Bonneville preliminarily estimated the damages at $750,000. Intruders had also
broken into this substation in 2008. A 2002 RAM-T assessment on the substation had
recommended installation of an electronic perimeter intrusion detection system as necessary to
protect one of the site's "most vulnerable" areas. Bonneville had neither implemented the 2002
recommendation nor updated the substation's assessment to reflect the reasons it had decided to
forego the enhancement. Thieves also broke into another of Bonneville's substations in 2008,
again through the perimeter. Bonneville had not completed a RAM-T assessment of this critical
asset. Bonneville officials acknowledged these risks and told us that they had initiated a security
technology application partnership with the Department in November 2009 to implement a
state-of-the-art perimeter intrusion detection system at the critical asset where the September 2009
intrusion occurred.
In addition, Bonneville officials stated that they are submitting for review a
risk-based proposal for installation of perimeter intrusion detection systems at the most critical
locations.

Impediments

Officials at all three PMAs stated that they understand the risks and vulnerabilities associated
with their critical infrastructure, but that they simply did not have the resources needed to
comply with all requirements. They contended that they had used available resources for higher
priorities. In 2006, for example, Bonneville had identified the resources needed to implement
recommended enhancements, such as perimeter intrusion detection systems. However, new
NERC CIP requirements effective in 2006, such as installing access card readers and establishing
cyber security protection protocols for critical assets, diverted PMA resources.

In addition to the lack of resources, Western and Southwestern officials reported that they were
unclear about the applicability of security performance testing policies, since the operating
environment of the PMAs differs from other entities in the Department, for example, in regard to
nuclear oversight. Western and Southwestern acknowledged the policies applied when we
showed them that the PMAs had been identified in the lists of applicable entities included in the
Department's directives.

RECOMMENDATIONS

To help reduce the risk of damage to critical power-related assets, we recommend that the
Administrators of the Bonneville, Western Area, and Southwestern Power Administrations:

     1. Reevaluate resource allocation priorities with a view toward completing required
        assessments and implementing needed protective measures;

     2. Establish and implement policies and resource-loaded schedules to ensure that critical
        asset vulnerability and risk assessments are conducted and updated timely and that the
        status, decisions, and justifications regarding implementation of recommended security
        enhancements are documented; and,

     3. Implement security system performance-based testing consistent with Department
        policies.

MANAGEMENT COMMENTS AND AUDITOR RESPONSE

Bonneville, Western, and Southwestern generally agreed with the recommendations and
provided planned actions which were responsive to the report findings and recommendations.
However, Bonneville and Southwestern stated that the report did not fully acknowledge the full
scope of their efforts to protect their critical assets and to utilize other tools and methodologies to
assess risks and vulnerabilities. These included extensive efforts to implement additional
enhancements to comply with NERC CIP critical cyber asset standards.

We agree that the additional assessments completed and enhancements implemented by the
PMAs to comply with NERC CIP standards provided increased physical security protection of
the PMAs' critical cyber assets and revised the report accordingly to recognize these efforts. The
comments by each of the PMAs, which are included in their entirety in Attachment 3, further
elaborate on these efforts. However, as discussed in the report, the PMA actions to ensure that
security over critical cyber assets complies with NERC CIP standards do not fully address the
risks and vulnerabilities of non-cyber critical assets.
The report identified additional areas of
improvement and associated recommended actions to strengthen the PMAs' existing efforts to
which the PMAs, to their credit, provided responsive action plans.

Attachments

cc: Deputy Secretary
    Chief of Staff
    Chief Health, Safety, and Security Officer, HS-1

Attachment 1

OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE

The audit objective was to determine whether the Power Marketing Administrations (PMAs) had
conducted vulnerability and risk assessments.

SCOPE

The audit was performed from August 2009 to August 2010, at the Department of Energy's
(Department) Bonneville Power Administration in Portland, Oregon; Southwestern Power
Administration in Tulsa, Oklahoma; and, Western Area Power Administration in Lakewood,
Colorado. We excluded the Department's Southeastern Power Administration in Elberton,
Georgia, because it does not own transmission assets.

METHODOLOGY

To accomplish our objective, we:

    Reviewed Department, North American Electric Reliability Corporation and PMA
    security planning, protection, and assessment laws, regulations, policies and procedures;

    Reviewed PMA documents and electronic spreadsheets used as the basis for conducting
    and updating critical asset vulnerability and risk assessments;

    Interviewed key PMA and Department officials responsible for implementing security
    protection policies and procedures regarding critical asset vulnerability and risk
    assessments; and,

    Reviewed prior Office of Inspector General and Government Accountability Office
    reports.

We conducted this performance audit in accordance with generally accepted Government
auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objective. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objective. The audit included tests of
controls and compliance with laws and regulations related to PMA critical asset vulnerability and
risk assessments. Because our review was limited, it would not necessarily have disclosed all
internal control deficiencies that may have existed at the time of our audit. We also assessed
performance measures in accordance with the Government Performance and Results Act of 1993
and found that the PMAs had not established performance measures specifically related to
conducting and updating critical asset vulnerability and risk assessments. We did not assess the
reliability of computer-processed data since we did not rely on it to accomplish our audit
objective. Exit conferences were held with Southwestern and Bonneville on September 27 and
28, 2010, respectively. Western waived the exit conference.

Attachment 2

PRIOR AUDIT REPORTS

Office of Inspector General Reports

    Power Marketing Administration Infrastructure Protection (OAS-B-03-01, April 2003)
    disclosed concerns regarding the Power Marketing Administration's (PMA) critical asset
    assessment efforts.
    The report found that Bonneville had initiated, but not yet completed
    vulnerability and risk assessments on its critical assets; Western Area Power Administration
    had conducted assessments but they were inadequate; and, Southwestern Power
    Administration had not conducted assessments. The report recommended the PMAs conduct
    vulnerability and risk assessments on their critical assets and the PMAs agreed to do so.

Government Accountability Office Report

    Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors
    (GAO-03-233, February 2003). This report found that four agencies, including the
    Department of Energy, had not fully implemented Federal requirements to protect critical
    infrastructure from attack. The report also stated that steps were needed to conduct and
    update vulnerability assessments, correct identified vulnerabilities, and establish milestones
    and resource requirements to complete these efforts. Finally, the report stated that the
    assessments need to consider physical vulnerabilities of the assets as well as changes in the
    threat environment.

Attachment 3

IG Report No. DOE/IG-0842

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of
its products. We wish to make our reports as responsive as possible to our customers'
requirements, and, therefore, ask that you consider sharing your thoughts with us. On the
back of this form, you may suggest improvements to enhance the effectiveness of future
reports.
Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or
   procedures of the inspection would have been helpful to the reader in understanding
   this report?

2. What additional information related to findings and recommendations could have
   been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's
   overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the
   issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should
   we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector
General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585

    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of
Inspector General, please contact Felicia Jones at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost
effective as possible. Therefore, this report will be available electronically through the Internet at the
following address:

    U.S. Department of Energy Office of Inspector General Home Page
    http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form.